typescript-library-starter
found 326 vulnerabilities (73 low, 1 moderate, 252 high)
Right after running npm install and entering the library name, this is what I got:
added 1737 packages from 1582 contributors and audited 37136 packages in 363.727s
found 326 vulnerabilities (73 low, 1 moderate, 252 high)
run `npm audit fix` to fix them, or `npm audit` for details
Running npm audit fix fixed 229 of 326 vulnerabilities but still:
21 vulnerabilities required manual review and could not be updated
3 package updates for 76 vulnerabilities involved breaking changes
(use `npm audit fix --force` to install breaking changes; or refer to `npm audit` for steps to fix these manually)
Would be great to have zero vulnerabilities from the start.
Still a problem.
found 297 vulnerabilities (74 low, 1 moderate, 222 high)
fixed 220 of 297 vulnerabilities in 37345 scanned packages
1 vulnerability required manual review and could not be updated
3 package updates for 76 vulns involved breaking changes
fixed 76 of 77 vulnerabilities in 37290 scanned packages
1 vulnerability required manual review and could not be updated
3 package updates for 76 vulns involved breaking changes
I could fix all but one by using npm's audit tool. The remaining one is based on a pretty transitive dependency.
=== npm audit security report ===
┌──────────────────────────────────────────────────────────────────────────────┐
│                                Manual Review                                 │
│            Some vulnerabilities require your attention to resolve            │
│                                                                              │
│         Visit https://go.npm.me/audit-guide for additional guidance          │
└──────────────────────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low           │ Denial of Service                                            │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ mem                                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=4.0.0                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ semantic-release [dev]                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ semantic-release > @semantic-release/npm > npm > libnpx >    │
│               │ yargs > os-locale > mem                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/1084                            │
└───────────────┴──────────────────────────────────────────────────────────────┘
Versions of mem prior to 4.0.0 are vulnerable to Denial of Service (DoS). The package fails to remove old values from the cache even after a value passes its maxAge property. This may allow attackers to exhaust the system's memory if they are able to abuse the application logging.
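The advisory quoted above describes a memoization cache that keeps entries after they pass their maxAge, so every distinct input leaves a permanent entry behind. The following is an added example, not code from the mem package, from semantic-release or from typescript-library-starter: a small memoize helper that sweeps expired entries whenever it misses, so the cache size is bounded by the entries still inside their maxAge window. The `now` option (an injectable clock) and the `demo` function are assumptions made here so the behaviour can be exercised without waiting on wall-clock time.

```javascript
// Added example: memoize with a maxAge whose cache actually evicts expired
// entries. Not the mem package's code; the `now` option is an assumption
// introduced here so a test can control time deterministically.
function memoizeWithMaxAge(fn, { maxAge = Infinity, now = Date.now } = {}) {
  const cache = new Map(); // key -> { value, expires }

  // Remove every entry whose expiry has passed. Without a sweep like this, a
  // stale entry that is never looked up again stays in memory forever, which
  // is exactly the unbounded growth the advisory describes.
  function prune() {
    const t = now();
    for (const [key, entry] of cache) {
      if (entry.expires <= t) cache.delete(key);
    }
  }

  function memoized(arg) {
    const t = now();
    const hit = cache.get(arg);
    if (hit && hit.expires > t) return hit.value; // fresh hit: no recompute

    // Miss (or expired hit): sweep stale entries before adding a new one, so
    // a stream of unique inputs cannot grow the cache without bound.
    prune();
    const value = fn(arg);
    cache.set(arg, { value, expires: t + maxAge });
    return value;
  }

  memoized.cacheSize = () => cache.size;
  memoized.prune = prune;
  return memoized;
}

// Hypothetical driver: fills the cache with 100 distinct inputs, advances a
// fake clock past maxAge, and shows that one more call shrinks the cache to
// the single live entry instead of leaving 101 entries behind.
function demo() {
  let clock = 0;
  let calls = 0;
  const double = memoizeWithMaxAge(
    (x) => { calls++; return x * 2; },
    { maxAge: 1000, now: () => clock }
  );

  for (let i = 0; i < 100; i++) double(i); // 100 misses -> 100 entries
  const before = double.cacheSize();        // 100

  clock = 5000;                             // every entry is now past maxAge
  double(0);                                // miss: prune runs, then recompute
  const after = double.cacheSize();         // 1

  clock = 5500;                             // still within maxAge of the new entry
  double(0);                                // hit: no extra call to fn

  return { before, after, calls };          // calls === 101
}

module.exports = { memoizeWithMaxAge, demo };
```

The sweep runs on every miss, which is O(n) in the number of cached entries; for a cache whose workload is mostly hits that cost is rarely noticed, and it removes the need for a timer, which is the usual alternative when a library wants expiry without scanning. Either way, the property to check in review is the one the advisory is about: after maxAge elapses, the memory held by old inputs must actually be released.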